From 070b14044f29e0db5abb3a972ac3f141c25c7ee7 Mon Sep 17 00:00:00 2001
From: Dov Benyomin Sohacheski <b@kloud.email>
Date: Wed, 13 May 2026 11:02:58 +0300
Subject: [PATCH 1/2] =?UTF-8?q?=F0=9F=93=9D=20Add=20dive=20to=20feature=20?=
 =?UTF-8?q?catalog?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 docs/editor/features.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/docs/editor/features.md b/docs/editor/features.md
index 3a98015..ab7cb07 100644
--- a/docs/editor/features.md
+++ b/docs/editor/features.md
@@ -174,8 +174,9 @@ For more information, visit our [contribution guide](/contribute/).
 | `codex`                     | codex CLI                                  | *v0.0.20* |       |
 | `conan`                     | Conan CLI and related tools                | *v0.0.21* |       |
 | `continue`                  | cn CLI and continue extension              |           |       |
-| `cpp`                       | C++ and related tools                      |           |   ✅   |
+| [**`cpp →`**](/tools/cpp)   | C++ and related tools                      |           |   ✅   |
 | `dagger`                    | dagger.io CLI and SDK                      |           |       |
+| `dive`                      | Image-layer explorer TUI                   |           |       |
 | `doctl`                     | DigitalOcean CLI                           | *v0.2.0*  |       |
 | `dotnet`                    | .NET framework and related extensions      |           |   ✅   |
 | `gcloud`                    | Google Cloud CLI for GCP                   |           |   ✅   |

From 494925925c5c4498426f1758d1ade10cbb4a2a52 Mon Sep 17 00:00:00 2001
From: Dov Benyomin Sohacheski <b@kloud.email>
Date: Wed, 13 May 2026 12:24:55 +0300
Subject: [PATCH 2/2] =?UTF-8?q?=F0=9F=9A=A7=20WIP?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 docs/editor/authentication.md  | 19 ++++++-----
 docs/settings/configuration.md | 60 ++++++++++++++++++++++++++++++++++
 2 files changed, 71 insertions(+), 8 deletions(-)

diff --git a/docs/editor/authentication.md b/docs/editor/authentication.md
index 25c9f5a..4c359d2 100644
--- a/docs/editor/authentication.md
+++ b/docs/editor/authentication.md
@@ -74,18 +74,21 @@ docker run \
 
 ### File-Based Passwords
 
-Instead of passing passwords as environment variables, you can mount them as files.
-This is useful with Docker secrets or mounted credential files.
+Instead of passing passwords as environment variables, you can mount them as files
+*(useful with Docker secrets or Kubernetes `Secret` projections)*.
+Point the variable at the file with the `file:` prefix, or mount the file at the
+convention path and leave the variable unset.
 
-- <EnvVar group="auth" name="password_file" />
-- <EnvVar group="auth" name="password_hashed_file" />
-
-```sh{3-4}
+```sh{2-3}
 docker run \
-  ghcr.io/kloudkit/workspace:v0.2.1 \
-  -v ./my_hashed_password.txt:/run/secrets/workspace/auth_password_hashed
+  -e WS_AUTH_PASSWORD_HASHED=file:/run/secrets/workspace/auth/password_hashed \
+  -v ./password_hashed.txt:/run/secrets/workspace/auth/password_hashed:ro \
+  ghcr.io/kloudkit/workspace:v0.2.1
 ```
 
+See [Resolving Secret Values](/settings/configuration#resolving-secret-values)
+for the full resolution chain and Kubernetes example.
+
 ### Rate Limiting
 
 The workspace has a built-in throttling mechanism to rate-limit password authentication
diff --git a/docs/settings/configuration.md b/docs/settings/configuration.md
index ef71323..41cb9fc 100644
--- a/docs/settings/configuration.md
+++ b/docs/settings/configuration.md
@@ -2,6 +2,8 @@
 see:
   - name: Editor Settings
     link: /editor/settings
+  - name: Secrets
+    link: /settings/secrets
 ---
 
 # Configuration
@@ -34,6 +36,64 @@ Such variables can be reviewed in the [global variables](#global-variables) sect
 To enable a boolean environment variable, set it to a *truthy* value, either `1` or `true`.
 :::
 
+## Resolving Secret Values
+
+Secret-shaped variables resolve through a four-step chain so the same property works across
+Docker and Kubernetes without `_FILE` companions:
+
+- <EnvVar group="auth" name="password" />
+- <EnvVar group="auth" name="password_hashed" />
+- <EnvVar group="auth" name="github_token" />
+- <EnvVar group="secrets" name="master_key" />
+- <EnvVar group="server" name="ssl_cert" />
+- <EnvVar group="server" name="ssl_key" />
+
+The resolver returns the first match:
+
+1. **Env literal:** `WS_X=value`.
+2. **`file:` prefix:** `WS_X=file:/path` reads the file *(one trailing newline stripped, internal newlines preserved)*.
+3. **Convention default:** mount a file at `/run/secrets/workspace/<group>/<property>` and leave
+   the variable unset.
+4. **Schema default:** typically unset.
+
+::: code-group
+
+```sh [Env literal]
+docker run \
+  -e WS_AUTH_PASSWORD=super_duper_secret \
+  ghcr.io/kloudkit/workspace:v0.2.1
+```
+
+```sh [file: prefix]
+docker run \
+  -e WS_AUTH_PASSWORD=file:/run/secrets/workspace/auth/password \
+  -v ./password.txt:/run/secrets/workspace/auth/password:ro \
+  ghcr.io/kloudkit/workspace:v0.2.1
+```
+
+```yaml [Kubernetes]
+volumes:
+  - name: workspace-secrets
+    secret:
+      secretName: workspace-secrets
+      items:
+        - key: password
+          path: auth/password
+containers:
+  - name: workspace
+    volumeMounts:
+      - name: workspace-secrets
+        mountPath: /run/secrets/workspace
+        readOnly: true
+```
+
+:::
+
+::: tip
+`ws-cli show env <KEY>` reports where the value came from: `env-set`, `env-file`,
+`secret-file-default`, or `yaml-default`.
+:::
+
 <!--@include: ../partials/environment-variables.md -->
 
 ## Deprecated